R
ROSTER ACCESS

Privacy Policy

Last updated: May 20, 2026

Introduction

Roster Access ("we," "our," or "us") is committed to protecting student privacy and complying with the Illinois Student Online Personal Protection Act (SOPPA). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our roster management and QR code sharing service.

Illinois SOPPA Compliance

Roster Access is designed to comply with the Illinois Student Online Personal Protection Act (105 ILCS 85/). We are committed to:

  • No Targeted Advertising: We will NOT use student data for targeted advertising purposes.
  • No Data Sales: We will NOT sell, rent, or trade student personally identifiable information.
  • No Profiling: We will NOT create profiles of students except in furtherance of K-12 school purposes.
  • Data Deletion: We will delete student data within 160 days of a school's request.
  • Breach Notification: We will notify affected schools within 30 days of discovering a data breach.

Information We Collect

Account Information

When you create an account, we collect your email address, password (stored securely using encryption), and school affiliation.

Covered Information (Student Data)

We store the roster files (CSV or PDF) you upload, which may include student athlete names, jersey numbers, grade levels, positions, and other information contained in your rosters. This constitutes "covered information" under SOPPA.

Usage Information

We collect information about how you interact with our service, including upload dates, roster names, seasons, sports, and QR code generation activity.

How We Use Your Information

We use student data solely for K-12 school purposes as directed by schools, including:

  • To provide and maintain our roster sharing service
  • To generate QR codes that link to your uploaded rosters
  • To authenticate your account and protect your data
  • To organize rosters by school, sport, and season
  • To enable roster merging functionality for game-day use
  • To automatically expire rosters after 160 days for data minimization

Prohibited Uses of Student Data

In compliance with SOPPA, we DO NOT and WILL NOT:

  • Engage in targeted advertising based on student data
  • Use information to amass profiles about students for non-educational purposes
  • Sell, rent, or trade student personally identifiable information
  • Disclose covered information unless required by law or permitted under SOPPA
  • Use student data for any purpose other than the contracted educational services

Data Sharing and Disclosure

QR Code Access: When you generate a QR code for a roster, anyone with that QR code or link can view the roster content without logging in. This is by design to facilitate easy sharing on game days with officials, coaches, and authorized personnel.

Merged Rosters: Merged rosters are only visible to the user who created them.

Subcontractors: We use Vercel for hosting and Supabase for authentication. These service providers are contractually bound to maintain the confidentiality of student data.

We do not sell, trade, or otherwise transfer your personal information to third parties except as required by law or to protect our rights.

Data Retention and Deletion

Uploaded rosters are automatically set to expire after 160 days. After expiration, roster data is deleted from our systems.

School-Requested Deletion: Upon request from an authorized school representative, we will delete all student data associated with that school within 160 days.

Account information is retained until you request deletion of your account.

Data Security

We implement reasonable security procedures and practices appropriate to the nature of the student data, including:

  • Encrypted password storage using industry-standard hashing
  • HTTPS encryption for all data in transit
  • Secure, access-controlled file storage
  • User authentication required for roster management
  • Row-level security for database access

Data Breach Notification

In the event of an unauthorized release, disclosure, or acquisition of student data, we will notify affected schools within 30 days of confirming the breach. The notification will include the nature of the breach, types of data involved, and remediation steps taken.

School and Parent Rights

Schools and parents have the following rights regarding student data:

  • Access: Request to inspect student data we hold
  • Correction: Request correction of inaccurate student data
  • Deletion: Request deletion of student data
  • Export: Request a copy of student data in a commonly used format

To exercise these rights, contact us through your school administrator or athletic director.

Children's Privacy

Our service is intended for use by coaches, athletic directors, and school administrators. While rosters may contain information about student athletes, account creation is limited to authorized school personnel. We do not knowingly collect personal information directly from children under 13 without proper school authorization under SOPPA and COPPA.

Data Privacy Agreements

Before using Roster Access to store student data, schools should have a signed Data Privacy Agreement (DPA) in place. Please visit our SOPPA Compliance page for more information and to access our DPA template.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify schools of material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Schools will be notified of significant changes via email.

Contact Us

If you have any questions about this Privacy Policy, our SOPPA compliance, or our data practices, please contact us through your school administrator or athletic director.

← Back to Roster AccessView SOPPA Compliance